SUNY shares contract with deletable redactions

In response to a Freedom of Information Law request, SUNY Systems Administration provided The Alt a copy of a risk-management consulting contract featuring redactions that, without much effort, we removed. The contract, between consultant The Bonadio Group and the public university system, runs through October and is worth $25,000.

Using Adobe Acrobat Reader DC, a free and widely used PDF viewer, we selected and deleted what were essentially black highlights covering certain lines of text. (We were also able to remove the redactions with Apple’s Preview application.)

Metadata shows the redactions were applied to the document on July 27 by author “ccadregari.” Carl Cadregari is an executive vice president with The Bonadio Group.
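A pre-release check for the failure described above, as an added example that is not part of the original article: it lists annotation objects that merely sit on top of page content, the author and date each one carries, and the text still stored in the file. The function names and the sample PDF fragment are constructed for illustration, and the scan assumes the objects are not packed inside compressed object streams.

```python
import re
import zlib

# Annotation subtypes that paint over page content without changing it.
# /Redact is a pending redaction: the text stays until it is applied.
OVERLAY_SUBTYPES = {b"Highlight", b"Square", b"Redact"}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj", re.S)

def pdf_string(body, key):
    """Value of a literal-string entry such as /T (author) or /M (date)."""
    m = re.search(rb"/" + key + rb"\s*\((.*?)\)", body, re.S)
    return m.group(1).decode("latin-1") if m else None

def audit(pdf_bytes):
    """List overlay annotations and the literal Tj text runs still in the file."""
    marks, text_runs = [], []
    for obj in OBJ_RE.finditer(pdf_bytes):
        num, body = int(obj.group(1)), obj.group(2)
        sub = SUBTYPE_RE.search(body)
        if sub and sub.group(1) in OVERLAY_SUBTYPES and b"/Rect" in body:
            marks.append({"obj": num, "subtype": sub.group(1).decode(),
                          "author": pdf_string(body, b"T"),
                          "modified": pdf_string(body, b"M")})
        stream = STREAM_RE.search(body)
        if stream:
            data = stream.group(1)
            if b"/FlateDecode" in body:
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    continue  # not a plain Flate stream; skipped by this check
            text_runs += [t.decode("latin-1") for t in TJ_RE.findall(data)]
    return {"overlay_marks": marks, "text_runs": text_runs,
            "needs_review": bool(marks)}

# Constructed sample: text on the page plus a black highlight annotation over it.
SAMPLE_OVERLAY = b"""%PDF-1.4
1 0 obj << /Type /Page /Contents 2 0 R /Annots [3 0 R] >> endobj
2 0 obj << /Length 55 >>
stream
BT /F1 12 Tf 72 700 Td (Hourly rate: PLACEHOLDER) Tj ET
endstream endobj
3 0 obj << /Type /Annot /Subtype /Highlight /Rect [70 695 300 715]
  /C [0 0 0] /T (reviewer1) /M (D:20240101120000) >> endobj
"""

print(audit(SAMPLE_OVERLAY))
```

A file that passes has no overlay marks left because the redacted text was removed from the content stream and the box drawn into the page itself; flattening or rasterizing the redacted pages before release achieves that.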

The university had justified the redactions under a provision of state law that allows agencies to withhold information that “if disclosed would cause substantial injury to the competitive position of the subject enterprise,” meaning, in this case, The Bonadio Group.

As it turned out, the redactions—all of which were applied to portions of the project proposal—concealed rather mundane information. One set covered a list of more than 150 of the firm’s past or current clients, including 19 entities affiliated with the university itself, like SUNY Cobleskill’s auxiliary services corporation and the Finger Lakes Community College Student Corporation. Also redacted were The Bonadio Group’s “Standard” and discounted “SUNY” hourly rates, the latter ranging from $120 to $300 depending on the employee’s title and whether the work is done out of office.

Neither The Bonadio Group nor SUNY Systems Administration responded to multiple requests for comment on Tuesday.

“Once it’s disclosed, it’s disclosed,” Kristin O’Neill, assistant director of the state Committee on Open Government, which oversees FOIL, said of the contract. “It’s yours to do with it as you see fit.”

This type of error is “not addressed by the statute,” O’Neill added. “They disclosed it to you. They didn’t, apparently, take steps to ensure the confidentiality of the information.”

John Kaehny, executive director of the good government group Reinvent Albany, estimated that his organization has seen about a half-dozen examples of failed redactions in records obtained from state agencies.

“It’s unusual but not unheard of,” Kaehny said.

Enterprise Risk Management: Too risky to publicize?

The shoddy redactions contrast with SUNY’s vigorous commitment to preventing the release of documents to The Alt about the very initiative to which the contract pertains.

In June 2015, the sprawling, 64-campus system adopted a policy on “enterprise risk management,” which it defines as “a formal and continuous process…designed to identify, assess, prioritize, and manage all risks and opportunities for an institution, not just the risks that are insurable.”

Late last year, SUNY retained The Bonadio Group to advise its ERM steering committee, which meets monthly and includes several members of the chancellor’s cabinet. “We are the external consultant providing guidance, providing some direction,” Carl Cadregari said of the firm’s role at a summer meeting of the Board of Trustees’ audit committee. “And including some of our expertise within the higher education space, cyber security space, the process space, and the overall enterprise risk management space.”

The program has been structured to focus on “19 key strategy areas,” Cadregari said, including information security, affiliated foundations, and human resources. For at least some of these areas, assessments and mitigation plans have already been completed.

In July, The Alt requested copies of those records, along with meeting minutes of the ERM steering committee, under the Freedom of Information Law.

In its response to our request—upheld on appeal by assistant vice chancellor for operations Kellie Dupuis—SUNY withheld those records in their entirety, citing various exemptions to the law. (It did provide steering committee agendas, which we had not requested.)

“If disclosed to the public, SUNY’s plans for identifying, investigating and handling such risks would expose SUNY to the very risks it seeks to mitigate,” Dupuis wrote of the assessments and mitigation plans. “Divulging such information to the public at large would effectively create a new risk.”

Kristin O’Neill said that while it is difficult, without seeing the plans, to offer an opinion on whether their disclosure would harm the university, “it seems odd that you would be able to withhold” them in their entirety. “Perhaps redactions could be made,” she said.

Dupuis essentially marshaled the same rationale—that public disclosure was too risky—to withhold steering committee meeting minutes. (She also said that the committee was not a public body subject to the state Open Meetings Law, a determination O’Neill said was likely correct.)

“Again, I think it’s one of those situations where I find it highly unlikely that the entire record needs to be withheld,” O’Neill said. “They could redact portions of it if they really, sincerely believe that disclosure of certain portions of the minutes” could potentially cause harm or jeopardize security.

“Proprietary” training videos?

Under FOIL, we had also sought copies of a series of brief videos designed to educate SUNY employees on the importance of state-mandated internal controls. According to a Sept. 2016 audit committee presentation, the videos were created after an assessment by the ERM steering committee found that required training activities at SUNY’s many campuses varied in frequency, depth, and quality.

A three-question quiz followed each video. The whole package essentially constituted a training course that was to be rolled out last winter to all campuses via the OpenSUNY Blackboard online application, where compliance could be monitored.

Despite the ERM committee member saying nearly a year ago that “all” the videos had been “produced” and that the course had been “created”—an accompanying slideshow even displayed a green checkmark next to “Produce Videos” under the heading “Training Course Status”—assistant vice chancellor Dupuis nonetheless wrote in her Aug. 22 appeal determination that the videos “are still under development.”

Under the Freedom of Information Law, this distinction is potentially critical. If the videos are complete, SUNY might not be able to assert the widely deployed “intra-agency materials” exemption, which allows agencies to withhold such records so long as they do not contain, among other things, “final agency policy or determinations.”

While Dupuis did assert this exemption, it was essentially rendered superfluous by a broader and perhaps more puzzling assertion—that the “proprietary” videos constitute “trade secrets.”

Drawing upon a mid-’90s New York Court of Appeals ruling on a dispute involving a SUNY auxiliary services corporation, Dupuis argued that because the state university “operates in a highly competitive environment,” disclosure of videos “concerning its risk management and internal control strategies could only assist its competition and adversely impact the university.”

“Ridiculous, to be honest,” Kristin O’Neill said of this claim, adding that governmental entities may only assert the “trade secret” exemption in “very, very limited circumstances.”

Watch the “mid-contract review” presentation of the ERM program here; it starts just before the two-minute mark. If you know anything about the initiative, please get in touch (luke@thealt.com).